Mobile Threat Blog

Share

XcodeGhost – What You Need To Know

Background

A security researcher at Palo Alto Networks discovered 3rd party modified versions of Apple’s iOS software development environment – Xcode – that injects code into apps that are built with the modified version. He was able to identify the affected apps that made it into Apple’s AppStore and published a blog post about it last Thursday, September 17th.

The idea to modify a software development environment to inject potentially malicious code into commercially available applications is not a new one but it’s one of the weak links that can be used to infect a larger number of devices through distribution via the app stores.

The identified “malware” was called XCodeGhost, and it adds a set of hidden functionality to any infected the app. Surprisingly, a lot of these behaviors are very similar to what you would expect from an analytics framework as well: It collects all kinds of device information and sends it to a remote server. In addition, the response to those requests are able to trigger a standard iOS alert and able to open a given URL or show the AppStore page of a given app.

Given our risk analysis results of infected apps regarding their actual behavior, we feel that “AdWare” might be a more appropriate classification rather than malicious “malware”. It would have been easy to add more harmful behaviours to the code and we might see that in the future, but the author of XCodeGhost chose not to implement them in the versions we analyzed.

XCodeGhost seems to be far more widespread than initially assumed. We were able to identify 476 affected apps for our customers from within our database – which is far more than the initial finding of around 40 apps would suggest.

We had a closer look at the data and were able to track the start of the infection to April 2015 with a significant uptick in infections over this last month of September. The corresponding Xcode release dates suggest that the infected version of Xcode 6.4 is far more widespread than older versions. The next few weeks will tell us if we see a decreasing number of infections due to the release of Xcode 7 and an improved AppStore review process.

Please note that the date corresponds to the date where we added the app to our database and may not match the exact date the app was released on the iTunes AppStore.

Technical Details

We analyzed the published samples and were able to reconstruct the following behaviour:

Sends requests to the server (using a fixed timer interval between requests)

The request contains all kinds of device identifiers (like a typical tracking framework)

The response can trigger different actions:

Shows an AppStore item within the app by using a SKStoreProductViewControllerDelegate

Showing an UIAlertView and show the AppStore view depending on which button was tapped

Open an URL

Sleeping for a given time

In addition, all status changes of the app (foreground, background, terminated) and the dismissing of the AlertView will be sent back to the server (like apps with tracking frameworks would do as well).

In addition we would like to clarify some misunderstandings you will find in current news media reports:

Pasteboard

The newer version of the framework contains additional code which is utilizing the UIPasteboard class to create multiple private pasteboards to keep track of the current state of the app. Those private pasteboards are different from the user accessible “copy & paste” pasteboard (called “generalPasteboard”).

Phishing

The framework itself contains no code to display login prompts or alerts of any kind that could be used to phish credentials (the alert has no field for text input). The only way to launch a phishing attack using this framework would be to send the response to open a URL pointing to a malicious website.

Impact

The actual impact to device and enterprise security is surprisingly low – at least compared to this particular attack vector, distribution and the potentially technical facilities.

The identified versions of XCodeGhost actually behaved more like AdWare or tracking frameworks rather than malicious malware, and we don’t see it as an immediate security threat. But that example proved that it is possible to create code to infect multiple popular AppStore apps and get through the AppStore review process.

Recommendations

Enterprises should keep their devices always up to date regarding app and iOS system updates. Developers should download developer tools directly from the vendor or at least verify the integrity of the download using checksums.

Customers with any of the affected apps in their organization’s app environment are being proactively notified by Appthority team.